Intrusion Detection Systems with Snort


Page 1: Intrusion  Detection Systems with Snort

Intrusion Detection Systems with Snort

Hailun Yan, 564-project

Page 2: Intrusion  Detection Systems with Snort

Outline

IDS categories
Installation procedure
Components of Snort
Most frequently used functions
Testing of Snort/ACID

Page 3: Intrusion  Detection Systems with Snort

Components of Security System

A security system consists of:

Firewalls
Intrusion detection systems (IDS)
Vulnerability assessment tools

Page 4: Intrusion  Detection Systems with Snort

Category of IDS

Network Intrusion Detection System (NIDS)
Listens to and analyses the traffic on a network segment
Captures packets
Compares them with a database of signatures

Host-based Intrusion Detection System (HIDS)
Installed as an agent on the host it protects
Listens to and analyses the host's system logs

Page 5: Intrusion  Detection Systems with Snort

Snort-based IDS

Page 6: Intrusion  Detection Systems with Snort

Single Sensor IDS

Page 7: Intrusion  Detection Systems with Snort

Multiple Sensor IDS

Page 8: Intrusion  Detection Systems with Snort

Installation

Snort can be downloaded from http://www.snort.org

Supported platforms include:
Linux, FreeBSD, OpenBSD, Solaris, AIX, HP-UX, MacOS, Windows

Page 9: Intrusion  Detection Systems with Snort

Installation (Cont.)

Pre-installation (versions used in this project):
Zlib 1.2.1
LibPcap 0.7.2
MySQL 4.0.15
Apache 2.0.52
PHP 4.3.3

Page 10: Intrusion  Detection Systems with Snort

Installation (Cont.)

Install Snort

#> tar -xzvf snort-2.2.0.tar.gz
#> cd snort-2.2.0
#> ./configure --with-mysql=/usr/local/mysql
#> make
#> make install

The --with-mysql option is what builds Snort's MySQL output plugin; without it the "output database: ... mysql" line used later in snort.conf cannot be loaded.

Page 11: Intrusion  Detection Systems with Snort

Installation (Cont.)

Install rules and configuration file

#> mkdir /etc/snort
#> mkdir /var/log/snort
#> cd rules
#> cp * /etc/snort
#> cd ../etc
#> cp snort.conf /etc/snort
#> cp *.config /etc/snort

Page 12: Intrusion  Detection Systems with Snort

Installation (Cont.)

Snort Configuration (in snort.conf)

var HOME_NET 192.168.0.0/24
var RULE_PATH /etc/snort/
output database: log, mysql, user=snort password=xxx dbname=snort host=localhost

HOME_NET must be the address range the sensor protects: rules written in terms of $HOME_NET and $EXTERNAL_NET only make sense relative to it, and a wrong value silently stops them from firing. "xxx" is a placeholder; once a real password is in this line, snort.conf holds a database credential and should not be readable by other users on the sensor.

Page 13: Intrusion  Detection Systems with Snort

Installation (Cont.)

Setting Up The Database In MySQL

mysql> set password for root@localhost=password('xxx');
mysql> create database snort;
mysql> grant insert, select on root.* to snort@localhost;
mysql> set password for snort@localhost=password('xxx');
mysql> grant create, insert, select, delete, update on snort.* to snort@localhost;
mysql> grant create, insert, delete, select, update on snort.* to snort;
mysql> exit
shell> /usr/local/mysql/bin/mysql -u root -p < ./contrib/create_mysql snort
Enter password: xxx

The create_mysql script from the Snort contrib directory creates the tables in the snort database. The last grant, to "snort" with no host part, creates a snort@'%' account that may log in from any host; it is only needed when the sensor and the database run on different machines, so it can be left out in the single-host setup shown here.

Page 14: Intrusion  Detection Systems with Snort

Installation (Cont.)

To display the alert messages generated by Snort in a web browser, install the Analysis Console for Intrusion Databases (ACID) together with the libraries it depends on:

JPGraph
ADODB

Page 15: Intrusion  Detection Systems with Snort

Check to See If Everything Is Working

#> /usr/local/apache/bin/apachectl start
#> /usr/local/mysql/bin/mysqld_safe &
#> /usr/local/bin/snort -c /etc/snort/snort.conf -D
#> ping yahoo.com

Snort is started as a daemon (-D) with the configuration file from the previous steps; the ping simply puts some traffic on the wire for the sensor to inspect. If everything works, the resulting alerts appear in the snort database and in ACID.

Page 16: Intrusion  Detection Systems with Snort

Output on ACID

Page 17: Intrusion  Detection Systems with Snort

Components of Snort

A Snort-based IDS contains the following components:

Packet Decoder
Preprocessors
Detection Engine
Logging and Alerting System
Output Modules

Page 18: Intrusion  Detection Systems with Snort

Packet Decoder

Takes packets from different types of network interfaces
Sends the packets to the preprocessors
Sends the packets on to the detection engine

Page 19: Intrusion  Detection Systems with Snort

Preprocessor

Attackers use different techniques to fool an IDS:

Exact match: suppose you created a rule to find the signature "httpd/conf" in HTTP packets. An attacker can easily evade it by rewriting the string as "httpd/./conf" or "httpd/../httpd/conf", which refer to the same path but no longer match the signature. A preprocessor normalises the string first so that the IDS can detect it.

Packet fragmentation: an attacker can use fragmentation to split a signature across several small packets so that no single packet contains it. A preprocessor reassembles these pieces first and sends the whole packet to the detection engine for signature testing.
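The two evasions above, as an added example that is not part of the slides or of Snort itself: a small Python stand-in for what Snort's http_inspect and fragment/stream reassembly preprocessors do before the exact-match signature is tested. The URIs, fragment offsets and the functions normalize_path, reassemble and matches are all constructed for this example; they are simplified and are not Snort's code.

```python
"""Added example, not from the slides or from Snort: why a preprocessor has to
normalise and reassemble before an exact-match signature is tested.

Covers the two evasions on the slide: path obfuscation ("httpd/./conf",
"httpd/../httpd/conf") and a signature split across fragments. Everything
here is a simplified stand-in for Snort's http_inspect and reassembly
preprocessors; the URIs and fragments are constructed sample input."""
from urllib.parse import unquote

SIGNATURE = b"httpd/conf"       # the exact-match content from the slide


def normalize_path(raw: bytes) -> bytes:
    """Undo the tricks used to hide a path: percent-encoding (%2e%2e),
    backslashes, doubled slashes, '.' segments and '..' traversal."""
    text = unquote(raw.decode("latin-1"))   # "%2e%2e" -> ".."
    text = text.replace("\\", "/")
    out = []
    for seg in text.split("/"):
        if seg in ("", "."):
            continue                        # "//" and "/./" add nothing
        if seg == "..":
            if out:
                out.pop()                   # step back over the previous segment
            continue
        out.append(seg)
    return b"/" + "/".join(out).encode("latin-1")


def reassemble(fragments):
    """Order (offset, data) fragments and join them, the way an IP or TCP
    reassembler hands one whole buffer to the detection engine. Overlapping
    bytes are resolved first-wins, which keeps the example short."""
    buf = bytearray()
    for offset, data in sorted(fragments, key=lambda f: f[0]):
        if offset < len(buf):
            data = data[len(buf) - offset:]
        buf.extend(data)
    return bytes(buf)


def matches(uri: bytes, normalise: bool = True) -> bool:
    """Exact-match detection of SIGNATURE, with or without the preprocessor."""
    return SIGNATURE in (normalize_path(uri) if normalise else uri)


if __name__ == "__main__":
    evasions = [b"/httpd/./conf", b"/httpd/../httpd/conf",
                b"/httpd/%2e%2e/httpd/conf", b"/httpd//conf", b"/httpd\\conf"]
    for uri in evasions:
        print(f"{uri!r:32} raw={matches(uri, False)!s:5} normalised={matches(uri)}")
    # Constructed fragments: the signature straddles the fragment boundary.
    frags = [(6, b"/conf HTTP/1.0"), (0, b"/httpd")]
    print("per-fragment:", [matches(d) for _, d in frags],
          "reassembled:", matches(reassemble(frags)))
```

Run stand-alone, every obfuscated URI fails the raw exact match and passes after normalisation, and the split signature is only found once the two fragments have been reassembled. The order matters: normalisation must run on the reassembled buffer, which is why Snort chains these preprocessors before the detection engine rather than running them per packet.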

Page 20: Intrusion  Detection Systems with Snort

The Detection Engine

Its responsibility is to detect whether any intrusion activity exists in a packet. It dissects a packet and applies rules to its different parts:

The IP header of the packet
The transport-layer header, e.g. TCP or UDP
The application-layer header, e.g. DNS, FTP, SNMP or SMTP
The packet payload: you can create a rule to find a string inside the data

Page 21: Intrusion  Detection Systems with Snort

Logging and Alerting System

The captured packet may be used to log the activity or to generate an alert. Logs are kept in:

simple text files
tcpdump-style (binary pcap) files
some other form

Log files are stored under the /var/log/snort directory by default; use the -l parameter to change the log location.

Page 22: Intrusion  Detection Systems with Snort

Output Modules

Depending on the configuration, output modules can do things like the following:

Simply logging to the /var/log/snort/alert file
Sending SNMP traps
Sending messages to the syslog facility
Logging to a database like MySQL or Oracle
Generating XML output
Modifying the configuration of routers and firewalls
Sending Server Message Block (SMB) messages to Microsoft Windows-based machines

Page 23: Intrusion  Detection Systems with Snort

Components of Snort

Page 24: Intrusion  Detection Systems with Snort

Snort Modes

Snort operates in two basic modes:

Sniffer mode
Prints packets to the console, or logs them into log files (with -l)
The log files can be analysed with tcpdump, Snort itself, etc.
Similar tools include tcpdump, snoop, etc.

NIDS mode
Rule-based IDS
Generates alerts and saves them into the database
Analysed with the ACID software package

Page 25: Intrusion  Detection Systems with Snort

Sniffing Mode

#> snort -v

Page 26: Intrusion  Detection Systems with Snort

Sniffing Mode (Cont.)

Press Ctrl+C: Snort prints its packet statistics before exiting.

Page 27: Intrusion  Detection Systems with Snort

Sniffing Mode (Cont.)

The -e parameter makes Snort also print the layer-2 (data link) headers

#> snort -ve

Page 28: Intrusion  Detection Systems with Snort

Sniffing Mode (Cont.)

The -d parameter makes Snort also print the application-layer payload

#> snort -vd

Page 29: Intrusion  Detection Systems with Snort

Network Intrusion Detection Mode

It does not log each captured packet
It applies the rules to all captured packets
It reads the configuration file snort.conf, and all other files included from it, before starting

Page 30: Intrusion  Detection Systems with Snort

Structure of A Rule

A Snort rule is divided into two parts:

rule header
information about what action the rule takes
criteria for matching the rule against data packets

rule options
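The rule layout above and the detection engine's job of applying a rule to the IP header, transport header and payload (the Detection Engine slide), as one added example that is not part of the slides or of Snort itself: a minimal Python parser and matcher for Snort-style rules. VARS, HEADER_RE, OPTION_RE, parse_rule, addr_ok, port_ok, match and alerts are constructed for this example, as are the rules and packets; only the msg, content, nocase, sid and rev options are understood, and the matcher is a teaching stand-in, not Snort's detection engine.

```python
"""Added example, not from the slides or from Snort: a minimal parser and
matcher for the two-part Snort rule layout, a header (action, protocol,
source, source port, direction, destination, destination port) followed by
options in parentheses. It stands in for the detection engine applying a
rule to a decoded packet's IP header, transport header and payload. Only
msg, content, nocase, sid and rev are understood; the variables, rules and
packets are constructed sample input."""
import ipaddress
import re

# Stand-ins for the 'var' lines in snort.conf (constructed values).
VARS = {"$HOME_NET": "192.168.0.0/24", "$EXTERNAL_NET": "!192.168.0.0/24"}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# option = keyword, optional ':value' (value may be a quoted string), then ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule(text):
    """Split one rule into its header fields plus an ordered (key, value) list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    rule = m.groupdict()
    opts = []
    for key, val in OPTION_RE.findall(m.group("opts")):
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        opts.append((key, val))
    rule["opts"] = opts
    return rule


def addr_ok(spec, ip):
    """Address spec: 'any', a $VAR or a CIDR, each optionally negated with '!'."""
    if spec == "any":
        return True
    if spec.startswith("$"):
        return addr_ok(VARS[spec], ip)
    if spec.startswith("!"):
        return not addr_ok(spec[1:], ip)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_ok(spec, port):
    """Port spec: 'any', a single port or a 'lo:hi' range, optionally negated."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_ok(spec[1:], port)
    lo, sep, hi = spec.partition(":")
    if sep:
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def match(rule, pkt):
    """Header first (cheap), then the payload options. pkt is a decoded packet:
    a dict with proto, src, sport, dst, dport and payload (bytes)."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False

    def header_ok(src, sport, dst, dport):
        return (addr_ok(rule["src"], src) and port_ok(rule["sport"], sport)
                and addr_ok(rule["dst"], dst) and port_ok(rule["dport"], dport))

    ok = header_ok(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule["dir"] == "<>":        # bidirectional: the reverse direction also counts
        ok = ok or header_ok(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not ok:
        return False
    # Simplification: in Snort 'nocase' modifies only the preceding content;
    # here one nocase makes every content match case-insensitive.
    nocase = any(k == "nocase" for k, _ in rule["opts"])
    payload = pkt["payload"].lower() if nocase else pkt["payload"]
    for key, val in rule["opts"]:
        if key == "content":
            needle = val.encode("latin-1")
            if nocase:
                needle = needle.lower()
            if needle not in payload:
                return False
    return True


def alerts(rule_texts, packets):
    """Run every rule over every packet; return (sid, msg) for each hit."""
    rules = [parse_rule(t) for t in rule_texts]
    hits = []
    for pkt in packets:
        for rule in rules:
            if match(rule, pkt):
                opts = dict(rule["opts"])
                hits.append((int(opts["sid"]), opts.get("msg", "")))
    return hits


RULES = [  # constructed sample rules
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC httpd/conf access"; '
    'content:"httpd/conf"; nocase; sid:1000001; rev:1;)',
    'alert icmp any any -> $HOME_NET any (msg:"ICMP to HOME_NET"; sid:1000002; rev:1;)',
]
PACKETS = [  # constructed decoded packets
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40001, "dst": "192.168.0.10",
     "dport": 80, "payload": b"GET /HTTPD/conf HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "192.168.0.20", "sport": 40002, "dst": "192.168.0.10",
     "dport": 80, "payload": b"GET /httpd/conf HTTP/1.0\r\n\r\n"},   # internal source
    {"proto": "icmp", "src": "203.0.113.5", "sport": 0, "dst": "192.168.0.10",
     "dport": 0, "payload": b""},
]

if __name__ == "__main__":
    for sid, msg in alerts(RULES, PACKETS):
        print(f"[**] [1:{sid}] {msg}")
```

Of the three constructed packets only the first and the third alert: the second carries the same payload as the first but comes from inside HOME_NET, so the header check on $EXTERNAL_NET rejects it before the content option is ever looked at. That is the cheap-header-first order the detection engine relies on, and it is also why a wrong HOME_NET in snort.conf silently suppresses alerts.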